How to protect your organisation from credential stuffing

With password managers and MFA no longer enough to keep organisations secure, it’s easy to see why biometrics is getting C-suite buy-in. 

There are tens of billions of credential-stuffing attacks every year – and those are just the ones authorities have detected. With password managers and MFA no longer enough to keep organisations secure, leaders are seeking more sophisticated solutions that minimise the risk and cost of a breach. 

Credential stuffing: A quick explainer

Rather than the traditional brute-force strategy of hackers ‘guessing’ passwords from a long list of common terms, credential stuffing is a brute-force attack that uses lists of known – and valid – username and password pairs pooled from earlier data breaches. Hackers then use automated bots to test those known credentials against other services in order to gain access to an organisation’s sensitive data.

Because of its simplicity and speed, credential stuffing has become one of the most popular ways for cybercriminals to penetrate an organisation’s defences – made even more worrisome for businesses when you consider that 86% of Australia’s top websites are unable to detect bot attacks. 
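As an added illustration of the pattern described above (example code, not from the original article or from Daltrey), the following Python scores each source IP in a constructed authentication log by how many distinct usernames it tried and how many attempts failed within a sliding window; the log format, thresholds and sample values are assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs. Added example, not
from the original article: a stuffing bot replays breached username/password
pairs, so one source shows many distinct usernames, a high failure ratio and the
occasional success. The log format and thresholds below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>".
# 203.0.113.7 behaves like a stuffing bot; 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.7 alice FAIL
2024-03-01T09:00:01 203.0.113.7 bob SUCCESS
2024-03-01T09:00:02 203.0.113.7 carol FAIL
2024-03-01T09:00:03 203.0.113.7 dave FAIL
2024-03-01T09:00:04 203.0.113.7 erin FAIL
2024-03-01T09:00:05 203.0.113.7 frank FAIL
2024-03-01T09:01:00 198.51.100.4 alice FAIL
2024-03-01T09:01:20 198.51.100.4 alice SUCCESS
"""

WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_DISTINCT_USERS = 5          # a real user rarely tries this many accounts
MIN_FAIL_RATIO = 0.8            # most replayed pairs are stale and fail

def detect_stuffing(text, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: stats} for sources whose login attempts look like stuffing."""
    by_ip = defaultdict(list)          # ip -> [(timestamp, username, succeeded)]
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "SUCCESS"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window forward
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for *_, ok in chunk if not ok)
            if (len(users) >= min_users and failures / len(chunk) >= min_fail_ratio
                    and len(chunk) > flagged.get(ip, {}).get("attempts", 0)):
                # "compromised": usernames that succeeded from a flagged source, i.e.
                # reused credentials that are still valid and need a forced reset.
                flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users),
                               "failures": failures,
                               "compromised": sorted(u for _, u, ok in chunk if ok)}
    return flagged
```

The legitimate user's two attempts on a single account never reach the thresholds, while the bot is flagged and its one successful login identifies the reused credential to reset.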

Your sensitive information is flowing free in the internet’s backwaters

Data breaches make major headlines these days, with companies decrying the financial cost – as well as the huge swathes of stolen credentials – but it’s the long-term impact of those breaches that continues to threaten organisations. This is because the stolen data is spread online by hackers, whether it’s made freely available or sold to the highest bidder. One recent dump of credentials nicknamed Collections #1–5 found hackers had access to billions of private credentials. 

Like most data breaches, the common denominator is human error. There is an ingrained problem with people re-using the same usernames and passwords across multiple platforms. If one of your employees’ personal Netflix, eBay or LinkedIn accounts gets hacked, for example, there’s a decent chance they could be using the exact same credentials to access your sensitive organisational data. Then there’s the added threat of phishing emails, which often appear legitimate enough to fool even the savviest of users. And the organisation itself may not have adequate software protections in place to stave off insidious attacks.

This is a real problem because credential-stuffing attacks are becoming more sophisticated and more frequent every day. Automated bots made over 30 billion attacks in 2018 alone. And with that figure rising, it’s easy to understand why the C-suite are seeking to deploy a cost-effective security strategy that can resist such a gargantuan threat to their sensitive data. 

What’s the solution?

The good news is that protection measures come in a variety of forms. But not all are created equal. It’s tempting to deploy a quick and easy solution. This generally involves setting up a password management tool that eliminates the tedious – and risky – task of generating and retrieving complex passwords. The passwords are housed in a user-friendly tool and stored in an encrypted database, meaning the user no longer has to remember a dozen lengthy passwords, or keep re-using the same username and password across all their accounts.

But despite password managers reducing an organisation’s risk from duplicate credentials – and thus credential stuffing – they come with their own inherent issues. They can even open up your business to greater threats. One recent study found major security flaws in the five most popular password managers, with the biggest worry being that they make users more vulnerable to targeted malware attacks.

IT teams may encourage their employers to adopt a smarter protection tool: multi-factor authentication (MFA). While this is a step in the right direction, MFA on its own isn’t enough to protect an organisation. For example, Russians targeting the 2016 presidential election had a detailed plan for harvesting MFA confirmation codes in much the same way as they snatch passwords. Even the FBI warns that MFA is a measure that hackers are finding easier to defeat. For MFA methods to be truly effective, they must be used in conjunction with strong identity-based authentication solutions.

The future is passwordless authentication

There is another solution that is quickly gaining traction among security experts, especially against the growing threat of credential stuffing: biometrics. 

Organisations reliant on easily hackable usernames and passwords open themselves up to a world of risks – both financial and reputational. Biometrics, however, is built around a number of core tenets, including identity management and access management. That means passwords are taken out of the equation, and you don’t have to worry about phishing scams opening up your business to widespread damage. 

Choosing an expert biometrics provider like Daltrey means your organisation receives a streamlined, secure experience across all access points. More importantly, user identity is controlled. With DaltreyID, for example, every individual who interacts with your organisation gets a unique biometric credential, which allows for a more convenient and secure authentication experience – and eliminates the threat of bad actors making a credential-stuffing attack on your business. 

The dangers of credential stuffing are all too real for organisations around the world. But there is a solution – one that is far superior to password managers and multi-factor authentication. Learn about Daltrey’s unique biometric solution today.